Summary
Environment
DUO Security
eID
Solution
Table of Contents
- What is VCU 2Factor Authentication?
- Registering with VCU 2Factor authentication
- Reactivating DUO Mobile
- Managing your two-factor devices
- Methods of Two-factor authentication
- DUO and CAS
- DUO and the VPN
- Generic Accounts
- No cellular or WiFi service
- Travel
- Blocked authentication in countries or regions subject to OFAC sanctions
What is VCU 2Factor Authentication?
In the cybersecurity field, three factors can be used to identify an individual to a computer system. These factors include:
- Something you know (e.g., a user name, password, answer to a question)
- Something you have (e.g., a phone, an ID card, or a hardware token)
- Something you are (e.g., your fingerprint, retina/iris scan, or voice print)
Traditionally, the username and password model relies only on something you know; this is considered single-factor authentication. The weakness of single-factor authentication using something you know is that an adversary can usually find ways to steal this information, allowing the adversary to masquerade as the victim.
VCU 2Factor Authentication helps drastically reduce the use of stolen usernames and passwords. In addition to the username and password, VCU 2Factor relies on one or more other factors in proving and securing a user's identity.
All faculty, staff, and students must use the VCU 2Factor authentication system.
Registering with VCU 2Factor authentication
Individuals who have never used VCU 2Factor Authentication can use one of the following options as a guide:
- Watch the video for instructions on enrolling in the service: https://vcu.mediaspace.kaltura.com/media/DUO+Registration+During+VCU+Account+Claim/1_77ofubjz
- Follow the text instructions: How to enroll in DUO (if you have never used it)
Reactivating DUO Mobile
If you have enrolled in DUO previously and changed devices or numbers, visit the reactivate DUO Mobile knowledge article.
Managing your two-factor devices
You can manage your devices within eid.vcu.edu. You can delete and add new devices using the My Profile and Manage Security tabs. This video will show you how to manage 2FA Devices at VCU.
Lost Device
If you lose your phone, remotely wipe it if possible, and contact your cellular service provider to have it disabled. You should also report the incident to the police if the loss of the device is the result of suspected theft.
Once this is done, contact the VCU IT Support Center to have your phone removed from your account. A temporary, timed bypass code can be generated for you while you work with your cellular service provider to replace your phone. Once you have your new phone, you can re-register it with the VCU 2Factor Authentication system by contacting the IT Support Center.
Methods of Two-factor authentication
Push - DUO Mobile
With the DUO Mobile app, a push notification is sent to the user's device, allowing them to enter a passcode that is provided at the login screen. This method is recommended, as it offers the most ease of use for 2FA. The DUO Mobile app is available on iOS and Android.
The DUO Mobile app is compatible with:
- Android versions 10.0 and higher
- iOS 15.0 and higher (effective February 8, 2024)
- iOS 13 and older - Users running versions 13 and older cannot download the latest version of Duo Mobile from the App Store. This removal from the App Store does not affect mobile app authentications for users who have already downloaded the app. Additionally, Duo no longer provides troubleshooting support, bug fixes, maintenance fixes, or security updates for mobile devices running version 13 and older.
For a video tutorial on using the DUO Mobile App with DUO Verify Push, visit How to use Duo Universal Prompt?
Hardware/keychain token
Hardware/keychain tokens allow a user to generate a passcode from a USB-sized keychain device; some tokens may instead need to be plugged into the device or connected via NFC. The ITSC provides hardware tokens upon request, and they can be picked up in the Cabell Library ITSC location.
Enrolling with the DUO mobile app is the easiest method. If you do not have access to a smartphone, have a non-supported OS, or are otherwise unable to use the push option, please visit the How to request a DUO hardware token article.
NOTE: The same hardware token cannot be used simultaneously between VCU and VCUHS applications. Each DUO profile requires a separate token.
Alternatives to DUO Mobile
2FA Method* | Developer | Model | I/O | Internet Required? | Works with RamsVPN? (Cisco AnyConnect) | Works with VCU Websites? (CAS, entraID, etc) | Cost | Where to get it? |
Duo Mobile App** | DUO | - | Push | Yes | Yes | Yes | FREE | Google Play Store Apple App Store |
Passcode | No | |||||||
Security Key | Titan Security Key | NFC USB-C USB-A | No | No | Yes | $30 – $35 | Google Store | |
Yubico | Security Key Series | NFC USB-C USB-A | $25 – $29 | Yubico Store Amazon.com | ||||
YubiKey 5 Series | NFC USB-C USB-A Lightning | Yes | $50 – $75 | |||||
Hardware Token | DUO | DUO-TOKEN | Passcode | No | Yes | Yes | FREE*** | VCU IT Support Center VCU fixIT |
*All methods require a first-time setup with an internet connection at https://eid.vcu.edu. For assistance, call 804-828-2227.
**Requires a compatible mobile device, such as a smartphone or tablet. For compatibility information, visit the App Store link in the chart above for your device's operating system.
***First time only. A replacement fee of $20 will be charged for lost, stolen, or physically damaged tokens. Tokens with dead batteries will be replaced at no cost if you bring the token back to us with a dead battery.
DUO and CAS
- VCU 2Factor Authentication will be required for all faculty, staff, and students accessing applications protected by the Central Authentication Service (CAS) when logging in from unknown and/or untrusted locations (e.g., off-campus).
  - Once enrolled in the VCU 2Factor authentication service, 2Factor authentication will be mandatory for any applications used by the individual.
- VCU 2Factor authentication is integrated with all web applications using the VCU Central Authentication Service (CAS).
- All individuals using VCU 2Factor Authentication with the Central Authentication Service (CAS) will have the option to remember their device for 60 days when logging in from an unknown and/or untrusted location (e.g., off-campus).
  - Clearing cookies on the browser resets all saved credentials.
  - Saved sessions will not be carried into incognito/private browsing windows.
DUO and the VPN
Duo/Two Factor Authentication is required when connecting to the VPN.
To enroll in Duo/Two Factor and access the server using RamsVPN:
- Enroll in DUO
- Download/Install the Cisco AnyConnect Secure Mobility Client.
- Connect using two-factor authentication with the AnyConnect client installed on your computer.
More information about VPN connection and configurations can be found at the RamsVPN page.
Generic Accounts
All generic accounts must have a DUO profile associated with the generic account owner. The owner of the generic account will need to determine how access should be handled and submit a support request to VCU Collaboration Services if changes are needed or DUO authentication is not feasible for a generic account.
No cellular or WiFi service
The DUO app provides offline authentication options for times when you lack cell service or when using 2FA could cause you to incur extra cell phone charges, such as when you are traveling internationally. This can be a fallback option if you have no cellular or WiFi connectivity.
- Simply open the app and tap the Virginia Commonwealth University profile.
- Enter the code provided in the Passcode field of the Duo verification screen.
NOTE: The code will refresh every 30 seconds
Travel
To take advantage of the options below, be sure to register your device(s) for use with your 2FA account (including, if applicable, downloading and installing the Duo Mobile App on your smartphone) before you begin your travel.
You can always use the passcodes generated by the Duo Mobile app on your smartphone or tablet even if you don't have cellular or WiFi service. If you absolutely do not have access to a device during travel, you can also request a hardware token to take with you from the IT Support Center before you depart.
You can also contact the IT Support Center to generate a bypass code and set its validity period for the duration of travel.
Blocked authentication in countries or regions subject to OFAC sanctions
As of May 5, 2022, the University's 2-factor verification tool, Duo, will begin blocking authentications from users whose IP address originates in a country or region subject to economic and trade sanctions enforced by the U.S. Office of Foreign Assets Control (OFAC).
VCU Affiliates attempting to authenticate to 2Factor Duo-protected applications from the following OFAC-regulated countries or regions will be blocked from completing their login. They will receive an error message: "Access denied. DUO Security does not provide services in your current location."
- Cuba
- North Korea
- Iran
- Sudan
- Syria
- Crimea region
- Sevastopol region
- Donetsk region
- Luhansk region
This means that VCU affiliates based in or traveling to these countries or regions cannot access VCU's services (such as RAMS VPN, Gmail, Canvas, eServices, etc.) that require DUO authentication.